Bram Cohen
Bug Bounty Submissions Should Require Deposits

AI slop has been doing real damage to bug bounty programs. My company has expended significant engineering resources wading through the garbage. The bug bounty platforms do a decent job of filtering but some things are simply outside their expertise and need to be forwarded along.

This is an unfortunate turn of events. A few years ago false security reports were not terribly onerous and even when they happened they were usually someone earnestly thinking they’d found something. Even when the person was horribly confused they were usually serious enough that it felt right to try to encourage them.

To be clear, there’s nothing wrong with using AI as a tool for searching for bugs. If someone finds a completely legitimate security problem using AI as part or all of their toolchain and submits a properly formatted report they are free to claim it. I would give the benefit of the doubt and think that even the mostly bogus reports we’re getting are from people who are doing nontrivial amounts of work to train models specifically for bug finding with their own filters and processing to maximize chances of success. They must be submitting because they have some real hit rate.

The problem is that the burdens of evaluating false positives are borne entirely by the entity handing out the rewards. This wasn’t a problem back when submissions were done manually: back then, a report which was probably wrong but had a 1% chance of success was rare, the costs of validating such things properly were small compared to the costs of coming up with the possible attack in the first place, and if you did submit and got a follow-up question, answering it was a real burden on the submitter. Now none of those things apply, so there’s a flood of low-probability but worth-a-shot reports.

The solution to this I’d like to propose is something which would have been completely verboten a few years ago but now unfortunately may be necessary: Anyone submitting for a bug bounty should have to put down a deposit. Even a relatively low amount like $100 would probably make a huge difference. Ideally there’s a policy in place that there’s a generous refund program that submissions which are at all earnest get their deposit back even if they’re mistaken. If that causes too much arguing about what’s ‘earnest’ it may be necessary to make it a fee rather than a deposit, but I think it’s always legally okay to have a policy of returning such fees as long as it’s made clear up front that it’s completely discretionary on the part of the evaluator.

No doubt this suggestion will make some people very upset because it completely violates the traditional ethos of how bug bounties work. It would also create an opportunity for scammers to set up bug bounties for fake projects with lots of security holes which they then pocket the fees for submissions on and refuse to pay out any owed bug bounties. These are real problems and there are mitigations but rather than diving into the weeds I’d just like to say I know and I’m sorry but the situation is sufficiently out of control that this is probably necessary. I’m suggesting this publicly so I can be the bad guy who other people point to when they suggest it as well.


jwz (Jamie Zawinski)
Big beautiful stickers, the best stickers
Fascists really are just the pettiest little pissbabies in the world, aren't they?

DOI cracks down on stickers covering Trump's face on national park passes:

The Department of the Interior recently updated its "Void if Altered" rules for 2026, explicitly flagging stickers and other coverings as alterations that could invalidate the pass. The move appears to respond to visitors preparing to cover the image of Trump, which was set to begin appearing on passes Jan. 1 despite legal challenges.


Richard Stallman
Maximum temperature reduction managed by carbon capture

A new report says that worldwide, the maximum [temperature] reduction that carbon capture and storage could manage for the atmosphere would be 0.7C, far short of the 5C to 6C industry and governments claim.

In effect, CC&S is a distraction that enables planet roasters to reduce the social pressure to reduce their greenhouse emissions.

Richard Stallman
US health institutions no longer dependable

Canada warns that US government institutions should not be trusted for medical advice.

I've urged my clinics and my state government to refer to something reliable rather than US institutions such as the CDC.

Richard Stallman
US intervention in Venezuela

It is unlikely that the US intervention in Venezuela will have a simple resolution.

The wrecker and his henchmen have stated no plan for what to do next, which suggests that whatever they do will make an even bigger mess.

The US used to intervene militarily often in weaker countries in the Americas.

Richard Stallman
Waymo driverless taxis during power outage

When part of San Francisco had a power outage, and traffic lights shut off, Waymo driverless taxis (which are not "autonomous") were commanded simply to stop at intersections. That was better than driving normally without traffic lights, but it blocked intersections and they stayed blocked.

jwz (Jamie Zawinski)
What The Fib
Every time I notice the layout of LEDs on these spotlights at the club, I cringe:

Why, why would you do that!

A square tiling makes sense. A triangular or hexagonal tiling makes more sense. A Fibonacci spiral makes the most sense. But what the absolute clustering-fuck is this shit? This layout gets more cursed the more you look at it.

jwz (Jamie Zawinski)
Car Brain
There's a lot of stupid in the world, but here's some more.

For those of you not in San Francisco: we have an old freeway running right past the ocean. It is falling into the ocean, and for decades had been closed like 20% of the time as backhoes regularly had to be deployed to haul sand dunes off the freeway.

So eventually sane minds at SFMTA said, "Well this fucking sucks, let's just close it and make it a park" and the voters overwhelmingly said yes.

People love it, merchants love it.

But it turns out that there are so many car-brains in the Sunset District ("The Staten Island of SF") that they will literally burn the world to the ground if it makes them have to drive 2 blocks out of the way. Like they have recalled their supervisor over this, filed multiple specious lawsuits, and constantly vandalize the artwork in the new park. Oh, and after that recall, our car-brain millionaire Mayor Danny Bluejeans spectacularly stepped on his own dick, which was just... *chef kiss*.

Anyway,

Judge tosses lawsuit claiming Great Highway closure was illegal:

A San Francisco judge denied all arguments in a lawsuit that sought to undo Prop. K and return cars back to the coastal road. The voter-approved ballot measure to turn the Upper Great Highway into a park remains intact.


Bram Cohen
Counterpoint

Before diving into this it would be helpful for you to read my basic music theory post and possibly more music theory.

Counterpoint is often described vaguely as ‘two voices playing off each other’. There are different phenomena which are referred to as counterpoint, but they all have two things in common: There’s more than one melodic line, and they aren’t playing in parallel. The most basic form of this is caused by an internal contradiction within the diatonic scale, best illustrated by labelling every other key like so:

You might notice that the white and yellow keys each form their own nice sub-scales where every pair of adjacent notes is a (major or minor) third apart and, with one exception, every pair of notes two apart forms a fifth. This makes the scale have similar properties to the pentatonic in that you can bang on notes roughly at random and it will all sound consonant, but it has two weaknesses: it has even fewer notes per scale than the pentatonic at 3.5 per octave, and it doesn’t contain the octave, which is the strongest consonance on the piano. To illustrate this the C notes above have been given asterisks, and you can see they alternate between white and yellow. This is because there are seven notes in the octave and seven is an odd number. In case you’re wondering why it’s called an ‘octave’, which indicates eight, that’s because the vernacular predates people believing zero was a real number, so all the interval names are off by one.

The result of the above is that a lot of melodic lines clash if they’re played in parallel with another instrument one octave off. If they’re two octaves off it returns to the same half-scale and it’s safe to play in parallel again. When there are two instruments about an octave apart they tend to dance around each other, playing in the same half-scale or hitting the octave on the off-beat or otherwise doing whatever they can to avoid playing a second against the other instrument when one of them hits a seventh. This dancing around is referred to as ‘counterpoint’.

This phenomenon doesn’t apply to the pentatonic scale where it’s always consonant to play the same melodic line in parallel an octave apart.


Planet Debian upstream is hosted by Branchable.